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SYSTEM AND METHOD FOR RULES- 
DRIVEN MULTI-PHASE NETWORK 
VULNERABILITY ASSESSMENT 

TECHNICAL FIELD OF THE INVENTION 

The present invention relates in general to network vul- 
nerability assessment and, more particularly, to a system and 
method for rules-driven multi-phase network vulnerability 
assessment. 

BACKGROUND OF THE INVENTION 

Network vulnerability assessment involves the detection 
of potential unauthorized uses and associated exploits 
(collectively "vulnerabilities") as they relate to computer 
networks, the devices that connect to such networks, and/or 
the subsystems that make up those devices. Network types 
can include, for example, the Internet, FDD1, token ring, etc. 
Devices can include routers, switches, workstations, per- 
sonal computers, printers, and other devices. Subsystems 
can include, for example, hardware types, operating 
systems, application programs, etc. 

Network vulnerability assessment can be highly complex 
because the vulnerabilities in a given network can depend 
upon the version and configuration of the network and upon 
the devices and subsystems coupled to the network. 
Additionally, networks can possess atomic as well as com- 
posite vulnerabilities. An atomic vulnerability can be a 
particular application running on a specific device port, for 
example SMTP. A composite vulnerability can result, among 
other reasons, because of the combination of two particular 
subsystems. For example, an operating system, such as 
WINDOWS NT 3.5, with a collection of certain subordinate 
applications can present composite vulnerabilities. 

Another difficulty for vulnerability assessment stems 
from the highly dynamic nature of network environments. 
Devices of known or unknown type can be added and 
removed from the network at any time. Additionally, differ- 
ent versions and types of subsystems can be introduced to 
the network. Each change or upgrade includes the potential 
for new or changed vulnerabilities to exist on that network. 

There are a number of conventional systems that attempt 
to assess the vulnerability of computer systems but are 
deficient for a variety of reasons. For example, Computer 
Oracle and Password System (COPS) is designed to probe 
for vulnerabilities on a host system. However, COPS does 
not maintain information across an entire network and can 
predict vulnerabilities only on a single host. Other conven- 
tional systems include System Administrator Tool for Ana- 
lyzing Networks (SATAN Suite) and Internet Security Scan- 
ner (ISS). These products can scan computer systems for 
vulnerabilities by active probing, analyze the collected data 
for vulnerabilities, and display the results. However, several 
disadvantages are associated with these products. For 
example, data collection and analysis are implemented as a 
single process. Such a methodology creates a prohibitively 
time consuming process. Furthermore, as new vulnerabili- 
ties are discovered or a network is changed, it is not possible 
to recreate a previous network configuration in order to test 
for the newly-discovered potential vulnerabilities. 

Additional problems with conventional systems include 
the fact that the analysis process can take a prohibitive 
amount of computing power as the network grows; as such, 
potential vulnerabilities can be missed. A further problem is 
that such conventional systems scan for live Internet Proto- 
col (IP) addresses on a network; therefore, vulnerabilities 
that exist on services that are not active during a scan can be 
missed. 
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SUMMARY OF THE INVENTION 

In accordance with the present invention, a system and 
method for rules-driven mutti-phase network vulnerability 
assessment are disclosed that provide significant advantages 

5 over prior developed systems. 

According to one aspect of the present invention, a 
method for network vulnerability assessment includes ping- 
ing devices on a network to discover devices with a con- 
nection to the network. Port scans are then performed on the 

10 discovered devices, and banners are collected as a result of 
the port scans. Information from the collected banners is 
stored as entries in a first database. Analysis is performed on 
the entries in the first database by comparing the entries with 
a rule set to determine potential vulnerabilities. The results 

15 of the analysis are then stored in a second database. 

In one embodiment, the method for network vulnerability 
assessment also includes performing host nudges on the 
devices and storing information from data received as 
entries in the first database. In another embodiment, the 

2Q method can include performing active data collection on the 
devices. 

In a further embodiment, the method for network vulner- 
ability assessment can include comparing an entry to a rule 
to determine an operating system represented by the entry. 
The entry and the operating system can then be compared to 

25 a second rule to determine a service. The entry and the 
service can be compared to a third rule to determine a 
potential vulnerability. 

According to another aspect of the present invention, a 
system is provided for network vulnerability assessment. 

30 The system includes an execution module operable to ping 
devices on a network to discover devices with a connection 
to the network. The execution module is further operable to 
perform port scans on the discovered devices and collect 
banners sent as a result of the port scans. The execution 

35 module is coupled to a first database and is operable to store 
information from the collected banners as entries in the first 
database. The execution module is also coupled to a rule set 
and is operable to perform analysis of the entries in the first 
database by comparing the entries with the rule set to 

40 determine potential vulnerabilities. The execution module is 
coupled to a second database for storing results of the 
analysis. 

It is a technical advantage of the present invention that the 
dimensionality of a network can be deduced from the 
45 perspective of its core attributes, such as device types, 
operating systems, services, and potential vulnerabilities. 

It is another technical advantage that a network 
configuration, once discovered, can be retained as a snapshot 
such that multiple rule sets can be run against that single 
50 configuration. 

It is a further technical advantage of the present invention 
that each host potentially connected to the network can be 
identified, and the appropriate vulnerabilities can be 
assessed. 

55 It is also a technical advantage that, once identified, 
potential vulnerabilities can be confirmed. 

It is another technical advantage of the present invention 
that the rule set can be implemented with an ASCII based 
prepositional logic system which allows ease of modifica- 
60 tion and extension. 

Other technical advantages should be apparent to one of 
ordinary skill in the art in view of the specification, claims, 
and drawings. 

6S BRIEF DESCRIPTION OF THE DRAWINGS 

A more complete understanding of the present invention 
and advantages thereof may be acquired by referring to the 
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following description taken in conjunction with the accom- In operation, devices such as workstations 12 can corn- 
panying drawings, in which like reference numbers indicate municate over network backbone 14. Workstations 12 can 
like features, and wherein: further communicate with external network 30 via network . sy^ 

FIG.lisablockdiagramofoneembodimentofanetwork backbone 14 and router 18. As i mentioned above, firewall 16 -gf 
environment that includes a system for network vulncrabil- 5 » intended to prevent unauthorized access from external ^ ^ 
ity assessment according to the present invention; " e,work 3 fi ° to ?™* s ""P^ «o internal network 10. ^ C- 

J n , However, firewall 16 is not capable of preventing all unau- 

FIG. 2 is a block diagram that includes configuration data thorized access ^ 
of one embodiment of a network that includes a system for According to the present invention, NVA engine 20 is «^ 
network vulnerability assessment according to the present ^ Qperable tQ perform network v^^y assessment. In ^ 
invention; general, this assessment is "multi-phase" in that it can be 

FIGS. 3A and 3B are flow diagrams of one embodiment carried out in multiple steps or phases. Furthermore, the 
of a method for network vulnerability assessment according assessment is "rules driven" in that network configuration 
to the present invention; information can be processed by rule sets to assess vulner- 

FIG. 4 is a flow diagram of a portion of one embodiment J5 abilities. An initial phase of the assessment can be a dis- 
of a prepositional logic rule set used network vulnerability covery phase. NVA engine 20 is operable to ping devices 
assessment according to the present invention; and coupled to network backbone 14 in order to identify all such 

FIG. 5 is a block diagram of one embodiment of an devices or systems that are so coupled. Such an operation 
analysis phase of one embodiment of a method for network can be called "host discovery." 

vulnerability assessment according to the present invention. 2 o Another phase of the assessment can be a data collection 

phase. NVA engine 20 can, for example, perform port scans 
on each device coupled to network backbone 14. NVA 
engine 20 can further receive banners from the scanned 
FIG. 1 is a block diagram of one embodiment of a network ports. For example, NVA engine 20 could open a connection 
environment that includes of a system for network vulner- 2 s 10 a P orl on workstation 12 and receive a telnet banner from 
ability assessment according to the present invention. As that port of workstation 12. NVA engine 20 can use such 
shown, the network environment can comprise devices that banner information to create and to maintain port database 
form an internal network, protection for the internal 22. For example, in internal network 10, port database 22 
network, and an external network. can include entries for each port that is available through 

The internal network, indicated generally at 10, can 30 router 18, firewall 16, and each of workstations 12. NVA 
comprise a plurality of workstations 12 coupled to a network engine 20 can continue the data collection phase by per- 
backbone 14. Network backbone 14 can comprise, for forming host nudges and/or active exploits on devices 
example, an intranet, FDD1, token ring, or other type of coupled to network backbone 14 in order to ascertain 
network backbone. Protection for internal network 10 can be configuration data of each device and port. A host nudge is 
provided by a firewall 16 and router 18 which are coupled 35 generally a non-invasive command that can be used to create 
to network backbone 14. Router 18 serves as a gateway the equivalent of a port banner. Examples of host nudges can 
between internal network 10 and an external network 30, be "showmount -e", "rpcinfo", or "GET/" (on HTTP port). 
External network 30 can be, for example, the Internet or An example of an active exploit could comprise, for 
other public network. Firewall 16 serves to limit external example, executing commands against a known service or 
access to resources in internal network 10 and protect these 40 sending data to an active port. Once established, port data- 
resources from unauthorized use. Internal network 10 fur- base 22 can comprise, for example, a snapshot of network 10 
ther comprises a network vulnerability assessment (NVA) at a given point in time. 

engine 20 coupled to network backbone 14. NVA engine 20 NVA engine 20 can then execute an analysis phase of the 

is coupled to and can communicate with a port database 22, assessment by applying rule set 24 to port database 22 and 
a rule set 24, and a datamine database 26. NVA engine 20 45 creating datamine database 26. The operation of the analysis 
can comprise, for example, software code executing on a phase can comprise, for example, the methodology shown in 
computing device such a SUN or INTEL based workstation. and described with respect to FIGS. 3B and 4. After this 
Alternatively, NVA engine 20 could be integrated into a process, datamine database 26 can include potential vulner- 
network device coupled to network backbone 14 such as abilities identified by NVA engine 20. Additionally, data- 
router 18 or firewall 16. Port database 22, rule set 24, and 50 mine database 26 can comprise a multi-dimensional data- 
datamine database 26 can comprise data stored in memory base that includes dimensions based upon the 
or fixed storage on the workstation or other device in which dimensionality of the internal network 10. NVA engine 20 
NVA engine 20 resides. Alternately, some or all of port can further perform active exploits on internal network 10 in 
database 22, rule set 24, and datamine database 26 could order to confirm the potential vulnerabilities identified in 
reside in fixed storage remote from the location of NVA 55 datamine database 26. 

engine 20. NVA engine 40 is operable to perform a similar vulner- 

In the embodiment of FIG. 1, external network 30 can ability assessment function as NVA engine 20. However, 
include a second router 32. A second NVA engine 40 can be NVA engine 40 is placed outside of internal network 10 and 
coupled to external network 30 via network connection 34. is external to router 18 and firewall 16. Such a placement can 
NVA engine 40 is coupled to and communicates with a 60 prevent NVA engine 40 from identifying potential vulner- 
second port database 42, a second rule set 44, and a second abilities of internal network 10 because firewall 16 may 
datamine database 46. As shown, an NVA engine can be prevent NVA engine 40 from gaining access to network 10. 
placed inside internal network 10, like NVA engine 20, or However, this placement gives NVA engine 40 a better view 
external to network 10, like NVA engine 40. The different of devices on external network 30. Additionally, NVA 
placement of NVA engines allows for access to different 65 engine 40 maybe able to make a vulnerability assessment of 
devices in internal network 10 and thus the NVA engines can router 18, wherein NVA engine 20 may be prevented from 
make different assessments of internal network 10. doing so because of firewall 16. 
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In implementation, NVA engines 20 and 40 can comprise 
executable software code residing on a computing platform. 
For example, NVA engines 20 and 40 could comprise 
executable code running on a PENTIUM PRO or SUN 
SPARC platform with a SOLARIS X86 V2.5x or V2.6 
operating system. Rule set 24 can be implemented as a text 
based (e.g., ASCII) language based upon prepositional logic. 
Such an implementation of rule set 24 has a technical 
advantage in that as new assessment capabilities are 
introduced, new rule sets 24 can be added to the system 
without the need to develop new software code for NVA 
engines 20 and 40. Such an implementation can also allow 
for efficient debugging of rule set 24, as it is human readable. 

FIG. 2 is a block diagram that includes configuration data 
of one embodiment of a network that includes a system for 
network vulnerability assessment according to the present 
invention. This diagram also shows the dimensionality of the 
network and its devices in terms of: device types, operating 
systems, services, and potential vulnerabilities. Internal net- 
work 10 of FIG. 2 comprises numerous devices including 
router 18, firewall 16, web server 50, workstations 52, 56, 
60, and 62, file server 54, printer 64, and terminal server 58. 
Each of these devices is coupled to network backbone 14. 
Similar to FIG. 1, NVA engine 20 is coupled to network 
backbone 14 and is coupled to and in communication with 
port database 22, rule set 24, and datamine database 26. 

In operation, NVA engine 20 is operable to perform a 
network vulnerability assessment of internal network 10. 
The assessment can include, as discussed with respect to 
FIG. 1, a discovery phase and data collection phase. By 
executing such processes, NVA engine 20 can identify the 
configuration of internal network 10 and uncover the various 
dimensions within internal network 10. For example, in the 
embodiment of FIG. 2, NVA engine 20 can identify the 
device type 70 of each device or system coupled to internal 
network 10. NVA engine 20 can further identify the oper- 
ating system 74 of each device and the services 78 available 
on each device. Such data can be incorporated into port 
database 22, for example, as entries populating fields of port 
database 22. 

The potential vulnerabilities 80 can also be identified by 
NVA engine 20. For example, the potential vulnerabilities 80 
shown in the embodiment of FIG. 2 can be the potential 
vulnerabilities inherent to the services 78 and operating 
system 74 of each device 70. In order to identify a particular 
potential vulnerability 80 on a particular device 70, NVA 
engine 20 can apply rule set 24 to port database 22. As 
discussed with respect to FIG. 1, such a process can be an 
analysis phase of the network vulnerability assessment. This 
assumes, of course, that router 18 and firewall 16 allow 
access to telnet service 78 from external network 30. After 
application of the rule set 24, NVA engine 20 can create 
datamine database 26 from the resulting data, and datamine 
database 26 can include potential vulnerabilities in internal 
network 10. NVA engine 20 can further perform active 
exploits on network 10 to confirm the identified potential 
vulnerabilities. 

FIGS. 3A and 3B are flow diagrams of one embodiment 
of a method for network vulnerability assessment according 
to the present invention. Such a method can be executed, for 
example, by NVA engine 20 of FIG. 2. At step 90, host 
discovery is performed. Host discovery can include, for 
example, pinging devices on a network in order to determine 
devices which are coupled to the network. At step 92, 
passive data collection is performed. For example, this can 
include collecting sign-on banners from active ports on a 
device. An example of a sign-on banner can be, for example, 
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a telnet barrier at a TCP port. Further examples of sign-on 
banners collected during this step, as shown in FIG. 3 A, are 
a Sendmail 5.6 banner collected from port 25 and a POP 
banner collected from port 110. This data collection activity 
5 can be "read only" activity and does not require interaction 
with an entity beyond opening a port. In this manner, it is 
"passive." 

Next at step 94, a preliminary analysis is performed. This 
analysis can include determining that a host nudge step 96 

10 and/or an active exploit step 98 are necessary. For example, 
at step 94, it can be determined if each host discovered in 
step 90 responded to the port scan of step 92. At step 96, a 
host nudge is performed, and at step 98, active exploits are 
performed, A host nudge can comprise, for example, "show- 
mount -e", "rpcinfo", or "GET /l" (on HTTP port). An 
example of an active exploit could comprise, for example, 
executing commands against a known service or sending 
data to an active port. Host nudge step 96 and active exploits 
step 98 are performed to further identify the complete 

2Q configuration of the network upon which the vulnerability 
analysis is performed. 

The information produced by steps 90, 92, 96, and 98 are 
then stored in a port database 22, for example, as entities in 
database fields. Port database 22 can thus provide a snapshot 

25 of the network at a given point in time. 

In the embodiment of FIG. 3 A, the host discovery at step 
90 can be considered the discovery phase of the network 
vulnerability assessment. Steps 92, 94, 96 and 98 can 
collectively be considered the data collection phase. After 

30 the creation of port database 22, an analysis phase can be 
performed, one embodiment of which is shown in FIG. 3B. 

FIG. 3B is a flow diagram of one embodiment of an 
analysis phase of the method for network vulnerability 
assessment according to the present invention. In the 

35 embodiment of FIG. 3B, port database 22 includes entries 
that comprise information collected in previous phases of 
the assessment. For example, entry 100 of port database 22 
can include information from a collected banner. Rule set 24 
can then be used to process port database 22. Rule set 24 can 

40 include rule parsing algorithm 99, operating system rules 
102, service rules 104, and vulnerability rules 106. Rule set 
24 can support incremental discrimination of type such that 
as rule parsing algorithm 99 is applied, for example, to entry 
100 of port database 22, type discriminations 101 can be 

45 determined. Rule set 24 can include, for example, a dis- 
criminator language based on prepositional logic that con- 
forms to a Baccus Noir Form. 

In operation, rule set 24 can be applied to each entry 100, 
and rule parsing algorithm 99 can be used to determine type 

50 discriminations 101 from entry 100. In the embodiment of 
FIG. 3B, three type discriminations 101 are derived from the 
example entry 100: operating system type, service type, and 
vulnerability type. First, rule set 24 can apply operating 
system rules 102 to entry 100. In the example of FIG. 3B, 

55 the discriminated operating system type 103 is SOLARIS. 
Rule parsing algorithm 99 can then take the operating 
system type 103 and further apply service rules 104 to entry 
100 to determine the service type 105. In the example of 
FIG. 3B, rule parsing algorithm 99 can determine that with 

60 a SOLARIS operating system and information from entry 
100, the service type 105 is SMTP. Rule parsing algorithm 
99 can next be used with vulnerabilities rules 106 to deter- 
mine that, with a SOLARIS operating system, an SMTP 
service, and information from entry 100, one potential 

65 vulnerability 107 is Sendmail Overflow. 

The embodiment of the analysis phase shown in FIG. 3B 
highlights a hierarchical nature of rule set 24. Such an 
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implementation provides a technical advantage in that it 
allows for rapid incremental discrimination of type of large 
amounts of data. Therefore, a device implementing the 
present methodology using such a rule set can quickly and 
efficiently assess the vulnerabilities of a network. 

FIG, 4 is a flow diagram of a portion of one embodiment 
of a prepositional logic rule set used in network vulnerability 
assessment according to the present invention. As discussed 
above, port database 22 can include entries 100 which 
include configuration information such as banners received 
in the host discovery phase. In the embodiment of FIG. 4, 
rule set 24 comprises prepositional logic elements 111, 115, 
and 119. Type discriminations 101, as discussed above, can 
then be determined from the application of rule set 24 to 
entries 100 in port database 22. 

In operation, entry 100 in port database 22 can initially 
include banner 110. Prepositional logic element HI can be 
applied to entry 110 to determine a type discrimination 101 
of "SOLARIS 2.x" operating system. Similarly, the ele- 
ments 115 and 119 of rule set 24 of FIG. 4 can further be 
applied to entries 114 and 118 to determine the type dis- 
crimination 49 of "FTP active" service and a "Sendmail 
Overflow" potential vulnerability. 

As shown in FIG. 4, rule set 24 can be expressed in an 
ASCII based prepositional logic language. In operation, 
NVA engine 20 can apply a given rule set 24 to port database 
22. If desired, rule set 24 can be exchanged with a new rule 
set. It is an advantage that such an exchange can be 
implemented without additional compilation of the NVA 
engine or other executable portion of the system. Further, 
rule set 24 can be extended to add custom rules needed by 
a particular network operator. 

FIG. 5 is a block diagram of one embodiment of an 
analysis phase of a method for network vulnerability assess- 
ment according to the present invention. In the embodiment 
of FIG. 5, multiple rule sets 24 and 124 are applied to port 
database 22 to generate two datamine databases 26 and 126. 
For example, port database 22 can represent a snapshot of a 
network at a given point in time. Rule set 24 can be applied 
to port database 22, and datamine database 26 can be 
created. Datamine database 26 can then include potential 
vulnerabilities of the network as represented by port data- 
base 22 and as analyzed using rule set 24. The assessment, 
however, is somewhat dependent upon rule set 24. If new, 
previously unknown potential vulnerabilities are discovered 
or if corrections to rule set 24 are needed, then a new rule 
set 124 can be created. This second rule set 124 can be 
applied to the same port database 22 to create a second 
datamine database 126 including a new representation of 
network vulnerabilities. It is a technical advantage of the 
present invention that a snapshot of a network at a given 
point in lime can be stored by port database 22 and that 
different vulnerability assessments can be performed on that 
snapshot using different rule sets. This advantage leads to 
more efficient debugging of rule sets as well as to more 
adaptive vulnerability assessment. 

Although described in terms of discrete "phases", those 
skilled in the art will recognize that the method and system 
of network vulnerability assessment of the present invention 
can also comprise an iterative process. For example, during 
the analysis phase it can be determined that blocks of 
configuration data in the port database are missing, and thus 
the system can return to the discovery phase to perform 
some further data gathering. Additionally, the present inven- 
tion can streamline the network vulnerability assessment by 
recognizing common network configurations. For example, 
most detection (i.e., discovery of the OS and service of each 
device) can be performed by gathering information, for 
example by a regex, from ports 21, 23, and 25 on a device. 
Much of the remaining needed information can be gathered 
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with a PERL regex to capture version information. There 
are, however, instances of specific configurations that can 
require specific knowledge in order to determine the con- 
figuration. For example, SGI can run IRIX operating system. 

5 Therefore, if SGI responds at port 25 on a device, the 
operating system could be IRIX. However, SGI may support 
other operating systems, so the determination of an IRIX 
operating system should only be made as a default — if no 
other operating system can be determined. Such a specific 

Q hierarchy of analysis can be performed by the rule set driven 
analysis, as discussed with respect to FIGS. 3A, 3B, 4, and 
5. 

Another embodiment of the present invention can include 
an active analysis phase for the purpose of confirming the 
potential vulnerabilities identified by the network vulner- 

35 ability assessment. Such a phase can comprise active 
exploits performed on the network against particular 
devices, services, or ports. Such an activity can be per- 
formed in real-time and thus it may be necessary to include 
a real-time data feed function into the datamine database. 

20 For example, such real time data insertion is described in 
U.S. patent application Ser. No. 09/107,790, entitled "Sys- 
tem and Method for Real-Time Insertion of Data Into a 
Multi-Dimensional Database for Network Intrusion Detec- 
tion and Vulnerability Assessment", pending, the disclosure 

25 of which is incorporated herein by reference. 

Although the present invention has been described in 
detail, it should be understood that various changes, substi- 
tutions and alterations can be made thereto without depart- 
ing from the spirit and scope of the invention as defined by 

30 the appended claims. 
What is claimed is; 

1. A computer implemented method for multi-phase rules- 
driven network vulnerability assessment, the method com- 
prising: 

35 pinging devices on a network to discover devices with a 
connection to the network; 
performing port scans on the discovered devices and 

collecting banners sent as a result of the port scans; 
storing information from the collected banners as entries 
40 in a first database to establish a network configuration; 
comparing the entries in the network configuration with 
more than one rule set to determine potential vulner- 
abilities; and 

storing results of the comparison in a second database, 
4 $ 2. The method of claim 1, further comprising performing 
host nudges on the devices and storing information from 
data received as entries in the first database. 

3. The method of claim 1, further comprising performing 
active data collection and storing information from data 

50 received as entries in the first database. 

4. The method of claim 1, wherein comparing comprises: 
comparing an entry in the network configuration to a rule 

to determine an operating system represented by the 
entry; 

55 comparing the entry to a second rule to determine a 
service; and 

comparing the entry to a third rule to determine a potential 
vulnerability. 

5. The method of claim 1, wherein the rule sets comprise 
60 a text based prepositional logic language. 

6. The method of claim 1, further comprising confirming 
a potential vulnerability by performing an active exploit. 

7. A system for multi-phase rules-driven network vulner- 
ability assessment, the system comprising: 

65 a first database for storing information from collected 
banners as entries; 
a plurality of rule sets; 



12/02/2003, EAST Version: 1.4.1 



US 6,324,656 Bl 



10 



a second database for storing results of a comparison; and 

an execution module coupled to the first database, the rule 
set, and the second database, the execution module 
operable to ping devices on a network to discover 
devices with a connection to the network, the execution 
module further operable to perform port scans on the 
discovered device and collect banners sent as a result of 
the port scans; 

the execution module operable to store information from 
the collected entries in the first database to establish a 
network configuration and compare the entries in the 
network configuration with more than one rule set to 
determine potential vulnerabilities; 

the execution module operable to store results of the 
comparision in the second database. 

8. The system of claim 7, wherein the execution module 
is further operable to perform host nudges on the devices and 
store information from data received as entries in the first 
database. 

9. The system of claim 7, wherein the execution module 
is further operable to perform active data collection and 
store information from data received as entries in the first 
database. 

10. The system of claim 7, wherein the execution module 
is operable to: 

compare an entry in the network configuration to a rule to 
determine an operating system represented by the 
entry; 

compare the entry to a second rule to determine a service; 
and 

compare the entry to a third rule to determine a potential 
vulnerability. 

11. The system of claim 7, wherein the rule sets comprise 
a text based prepositional logic language. 

12. The system or claim 7, wherein the execution module 
is further operable to confirm a potential vulnerability by 
performing an active exploit. 

13. A computer implemented method for multiphase 
rules-driven network vulnerability assessment, the method 
comprising: 

pinging devices on a network to discover devices with a 

connection to the network; 
performing port scans on the discovered devices and 

collecting banners sent as a result of the port scans; 
storing information from the collected banners as entries 

in a first database to establish a network configuration; 
comparing an entry in the first database to a rule to 

determine an operating system represented by the 

entry; 

comparing the entry to a second rule to determine a 
service; 

comparing the entry to a third rule to determine a potential 
vulnerability; and 

storing results of the comparing steps in a second data- 
base. 

14. The method of claim 13, further comprising perform- 
ing host nudges on the devices and storing information from 
data received as entries in the first database. 

15. The method of claim 13, further comprising perform- 
ing active data collection and storing information from data 
received as entries in the first database. 

16. The method of claim 13, wherein the rules comprise 
an ASCII based prepositional logic language. 

17. The method of claim 13, further comprising confirm- 
ing a potential vulnerability by performing an active exploit. 

18. Logic encoded in media for multi-phase rules-driven 
network vulnerability assessment and operable to perform 
the following steps: 



15 



20 



25 



30 



40 



45 



50 



55 



pinging devices on a network to discover devices with a 
connection to the network; 

performing port scans on the discovered devices and 
collecting banners sent as a result of the port scans; 

storing information from the collected banners as entries 
in a first database to establish a network configuration; 

comparing the entries in the network configuration with 
more than one rule set to detemine potential vulner- 
abilities; and 

storing results of the comparison in a second database. 

19. The logic of claim 18, further comprising the step of 
performing host nudges on the devices and storing informa- 
tion from data received as entries in the first database. 

20. The logic of claim 18, further comprising the step of 
performing active data collection and storing information 
from data received as entries in the first database. 

21. The logic of claim 18, wherein comparing comprises: 
comparing an entry in the network configuration to a rule 

to determine an operating system represented by the 
entry; 

comparing the entry to a second rule to determine a 
service; and 

comparing the entry to a third rule to determine a potential 
vulnerability. 

22. The logic of claim 18, further comprising the step of 
confirming a potential vulnerability by performing an active 
exploit. 

23. An apparatus for multi-phase rules-driven network 
vulnerability assessment comprising: 

means for pinging devices on a network to discover 
devices with a connection to the network; 

means for performing port scans on the discovered 
devices and collecting banners sent as a result of the 
port scans; 

means for storing information from the collected banners 
as entries in a first database to establish a network 
configuration; 

means for comparing the entries in the network configu- 
ration with more than one rule set to determine poten- 
tial vulnerabilities; and 

means for storing results of the comparison in a second 
database. 

24. The apparatus of claim 23, further comprising means 
for performing host nudges on the devices and storing 
information from data received as entries in the first data- 
base. 

25. The apparatus of claim 23, further comprising means 
for performing active data collection and storing information 
from data received as entries in the first database. 

26. The apparatus of claim 23, wherein means for com- 
paring comprises: 

means for comparing an entry in the network configura- 
tion to a rule to determine an operating system repre- 
sented by the entry; 

means for comparing the entry to a second rule to deter- 
mine a service; and 

means for comparing the entry to a third rule to determine 
a potential vulnerability. 

27. The apparatus of claim 23, further comprising means 
for confirming a potential vulnerability by performing an 
active exploit. 
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